CVE-2022-34784: 
Java vulnerability analysis and mitigation

Jenkins build-metrics Plugin version 1.3 contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2022-34784. The vulnerability was disclosed on June 30, 2022, and affects the build description view functionality of the plugin. This security issue impacts Jenkins installations using the build-metrics Plugin version 1.3 or earlier (Jenkins Advisory, NVD).

The vulnerability exists because the build-metrics Plugin fails to properly escape the build description on one of its views. The severity is rated as High with a CVSS v3.1 Base Score of 5.4 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The CVSS v2.0 Base Score is 3.5 (LOW) with vector string (AV:N/AC:M/Au:S/C:N/I:P/A:N) (NVD).

The vulnerability allows attackers with Build/Update permission to execute stored cross-site scripting attacks through the build description view. This could potentially lead to the execution of malicious JavaScript code in the context of other users' browsers who view the affected build descriptions (Jenkins Advisory).

As of the advisory publication date, no fix was available for this vulnerability in the build-metrics Plugin. Users are advised to assess their risk and consider restricting Build/Update permissions to trusted users until a fix becomes available (Jenkins Advisory).